Financial institutions also assume certain fraud-related risks
when issuing credit, debit, and ATM cards either in-house or under
contract to third parties. Inadequate internal controls or
ineffective card and PIN issuance procedures may result in
fraudulent customer transactions. Inadequate separation of
duties that allows employees access to both customer account and
PIN information exposes the institution to potential employee
fraud.

Embossing and encoding blank plastic card stock, if conducted
in-house, should be performed in a secure area and include
inventory controls, accounting controls for the number of cards
used (including test and reject cards), and dual controls for blank
card stock storage. Procedures for the interim storage and
accounting of card stock should exist for all cards not under dual
control. Adequate controls should also exist for captured
cards (cards confiscated by an ATM or elsewhere).

Accountability controls should also be established to ensure all
cards initially disbursed from the storage area are either
delivered to the mail area or destroyed. Returned cards
should be handled by a function independent of the mail
department. Control cards should be mailed randomly to
customers and their delivery should be validated within a few days
to ensure that no theft has taken place.

PIN generation should be done at the time of card
issuance. Active PIN information should be controlled,
including encrypting the information on storage devices.
Access to PIN databases should be restricted on a need-to-know
basis. Staff access to PIN information should be reviewed
periodically to confirm controls are current and working
effectively.

The PIN should not appear in printed form, and staff members
should not be able to retrieve or display a customer PIN
online. PIN mailers should be processed and delivered with
the same level of security used for mailing cards, and an active
PIN should never be included with the card mailed to a
customer.

The PIN should not be transmitted unencrypted, and the PIN
system should record the number of unsuccessful PIN entries,
restricting access to a customer's account after a limited number
of attempts. If a customer forgets the PIN, he or she should
select a new one rather than having staff retrieve the old one.
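The PIN-handling controls above (no retrievable PIN, a failed-attempt counter with lockout, and customer-selected replacement rather than staff retrieval) are illustrated by this added example, which is not part of the guidance text. It assumes a keyed one-way verification value (the key is an in-memory placeholder here; in production it would be held in an HSM), a lockout threshold of three attempts, and that reset_pin() is only reached after separate customer identity verification.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed example: a minimal PIN system following the controls above.
MAX_ATTEMPTS = 3
# Placeholder key for illustration; assumed to live in an HSM in production.
_VERIFICATION_KEY = b"placeholder-key-held-in-hsm"


@dataclass
class AccountPinRecord:
    salt: bytes
    verification_value: bytes  # keyed one-way value, never the PIN itself
    failed_attempts: int = 0
    locked: bool = False


def _verification_value(pin: str, salt: bytes) -> bytes:
    """Keyed, one-way value derived from the PIN. Without the key it cannot
    be reversed or brute-forced offline, even though the PIN space is small."""
    return hmac.new(_VERIFICATION_KEY, salt + pin.encode(), hashlib.sha256).digest()


class PinSystem:
    def __init__(self) -> None:
        self._records: dict[str, AccountPinRecord] = {}

    def issue(self, account: str, pin: str) -> None:
        """Set a PIN at card issuance; only the verification value is kept,
        so no staff function can retrieve or display it."""
        if not (pin.isdigit() and 4 <= len(pin) <= 12):
            raise ValueError("PIN must be 4 to 12 digits")
        salt = secrets.token_bytes(16)
        self._records[account] = AccountPinRecord(salt, _verification_value(pin, salt))

    def is_locked(self, account: str) -> bool:
        return self._records[account].locked

    def verify(self, account: str, pin: str) -> bool:
        """Check a PIN entry; count failures and lock after MAX_ATTEMPTS."""
        rec = self._records[account]
        if rec.locked:
            return False
        if hmac.compare_digest(rec.verification_value, _verification_value(pin, rec.salt)):
            rec.failed_attempts = 0
            return True
        rec.failed_attempts += 1
        if rec.failed_attempts >= MAX_ATTEMPTS:
            rec.locked = True  # restrict account access after limited attempts
        return False

    def reset_pin(self, account: str, new_pin: str) -> None:
        """Customer selects a new PIN after identity verification (assumed);
        the old PIN is replaced, never retrieved."""
        self.issue(account, new_pin)
```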

For institutions that outsource these functions to service
providers, written agreements should define roles and
responsibilities and detail control and problem resolution
procedures. Effective vendor management should include a periodic
review of service providers' control environments and relevant
internal and external audit reports.